Based on these reports and other information, board members or the compliance or audit committee should determine whether the entity allocates sufficient resources to the program and whether compliance staff have a direct reporting line to the board or an appropriate committee of the board. They should also determine whether the compliance plan adequately covers all areas of the entity. The purpose of internal controls is both to provide procedures that implement compliance program requirements and to create a self-reinforcing cycle of compliance improvement. Compliance policies set the standard, while internal controls implement and reinforce that standard. Through this mechanism, compliance can be measurably improved and strengthened over time. Prosecutors should try to determine whether a company's compliance program is just a “paper program” or whether it was designed and implemented effectively. In addition, prosecutors should determine whether the company has assigned enough employees to review, document, analyze, and act on the results of the company's compliance efforts. Make sure the “compliance officer” is clearly identified within your organization. This person (who may also hold another role, such as Chief Legal Officer or Chief Risk Officer) is responsible for tracking compliance changes as they occur, as well as putting processes in place to monitor compliance. Sometimes the standards for financial transactions are enshrined in the law of a particular jurisdiction. For example, several U.S. states (Nevada and Washington, among others) require PCI DSS compliance by statute.

The importance of appropriate training is reinforced on the international scene. In addition to the usual problem of adequately communicating compliance requirements, training often needs to address local practices and differing cultural norms that may run contrary to the organization's compliance requirements. It is equally important to find the best way to emphasize the importance of complying with U.S. law, which may seem of limited relevance to many foreign employees because they are outside U.S. territory. Language difficulties also complicate matters, so it is imperative to provide compliance materials and training in languages other than English. As evidenced by ZTE's record export control fine (nearly $1.2 billion, followed by a denial of export privileges) and Panasonic's FCPA regulations, the risk of tough enforcement action under the Trump administration for violating international regulations remains high. Nevertheless, many multinationals face a dilemma as to how best to implement their international regulatory risk management. They may know they are at increased risk, but they don't know how best to proceed.

This section of the Client Alert summarizes typical steps that most multinationals should consider when assessing their international regulatory risk management procedures and internal controls. By carefully implementing these measures, most multinational organizations should be able to put in place the kinds of compliance that U.S. regulators would consider industry best practice. The UK Modern Slavery Act 2015 also applies to companies based or operating outside the UK, as long as a company in its wider group structure (e.g. a subsidiary) is “carrying on business” in the UK. When accepting payments and bank transfers, a number of rules apply internationally. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security rules for organizations that handle major credit cards. It applies to businesses wherever they are in the world, as long as they use the card companies' services. All major card brands, including Visa, Mastercard, and American Express, require businesses to comply with PCI DSS. No compliance initiative will work without proper support.

This issue is addressed in the McNulty Memorandum. As the McNulty Memorandum indicates, it is often a mistake to assume that compliance can be managed solely from a central location. While compliance initiatives can originate in a central legal or compliance department and are often best managed centrally, implementation and oversight often require on-site attention. As a result, it is often necessary to create a compliance infrastructure that includes local compliance contacts. Identifying red flags is not a static process. The type of red flags to be identified depends on the profile of the company: whether it uses controlled technology or sells/exports controlled goods, its interactions with international regulators, the industry in which it operates, how it operates, and other unique factors. As a starting point for identification, common red flags for the CAPF, export controls and economic sanctions are appended to this International Compliance Guide. It is a good idea for an organization to tailor these red flags to its own risk profile and then distribute them to employees throughout the company. Compliance shouldn't be an afterthought for your business: don't start by developing the optimal business process and only then verify that it meets compliance requirements. Instead, consider compliance requirements while developing your business approach. For example, “privacy by design” is a requirement of the GDPR. This means that every company needs to think about how to collect and protect customers' personal data in a compliant manner whenever it considers implementing a new process.

Compliance policies and processes will fail without clear communication of their requirements to all members of the organization. Ensure that all employees, from board level down through the organization, are aware of and understand their compliance responsibilities: organize training and education programs and schedule regular checks to ensure everyone is on board. How can in-house counsel, corporate secretaries, and legal and compliance teams work together to measure compliance and keep the company and its entities legally able to operate in every jurisdiction? The following seven steps provide a solid framework for success. There is a validation and monitoring framework for compliance with this standard. Failure to comply can result in significant fines and penalties imposed by the card companies. As recent enforcement actions under the Trump administration demonstrate, enforcement of this set of international regulatory laws is alive and well. In light of these developments, this note to clients summarizes recent enforcement actions as well as steps that businesses subject to U.S. jurisdiction can take to identify and mitigate the risk of costly enforcement actions under these regulatory regimes. Companies should also think carefully about the length of the written program.